Nick recently published an article on digital security. My article piggybacks off those concepts by taking a deep dive into how to establish secure communications, something all the more critical during our hyper-reliance on remote working capabilities, online services, etc.
The Internet: Land of opportunity but fraught with stranger danger
Today’s digital landscape increases the complexity with which we communicate. Various platforms, devices, numbers, and networks create a complicated web where it’s easy to become overwhelmed. While we have more options to connect globally and rapidly share information, so do the bad guys. More options, while creating redundancy for us, present additional attack vectors for them. Hence the need for a well-established communications plan that affords you privacy and security.
“That could never happen to me”… until it does
Your individual threat model will dictate what your comms plan needs to look like, and from what it should be reasonably expected to protect you. However, there are a few general principles one can use to create a relatively secure (read: encrypted) plan that sufficiently protects you and your data. A few threat model examples follow:
Are you a power-moves state prosecutor that spends weekends righteously indicting high-ranking cartel hitmen in absentia? You need private and secure comms.
Are you a military member who’s deployed overseas (or have a security clearance, for that matter) and worked in dangerous environments against elements threatening our interests abroad? This plan is for you.
Are you a law enforcement professional that makes countless arrests of violent and dangerous criminals on a daily basis, many of who harbor no regrets harming an officer or their family? Start protecting your family with what you can control.
Are you an investigative reporter with a need to securely communicate with sources and expose wrongdoings, injustices, or malign activity? Read on.
Are you an attorney responsible for the confidential and discreet transmission of client data in support of a high-stakes business deal? Private and secure is the name of the game.
Are you an average Joe that has a family to protect, and who you want to keep safe while exercising your fundamental right to communicate privately and securely, free of government, hacker, or criminal interference? Look no further.
What you can expect
This discussion is not all-inclusive, nor is it legal advice or the absolute best way to build a private and secure communications plan for you and your family. There are many ways to communicate securely; today, we are only establishing a framework.
The perfect plan does not exist, and absolutely nothing is guaranteed to be able to withstand the constantly changing tactics used by governments, hackers, criminals, and others from attempting to compromise your communications.
This guide will provide some basic principles for how to begin thinking about your communications vulnerabilities and how to design a communications plan that works to mitigate them. It provides some general heuristics for communications and information security that can be leveraged to give you a reasonable level of privacy and security in your journalism. This is a purpose-built framework.
The beginner’s guide
In my opinion, the best way to demonstrate how to establish a comms plan is to actually discuss the steps with some color commentary along the way. So let’s start from scratch, and go through a few basic steps that can be followed to create a commercially-based comms plan. The endstate for the reader is to have a deeper contextual understanding of secure and private communications; an understanding that can be applied to everyday life. All of this would ideally be conducted before the need for such a plan arises, and not after the fact or when under duress.
The best part? The plan is only “two steps!”
1. Select a platform
We need a platform, i.e. the means by which we intend to communicate. For our purposes, we are going to start with a smartphone due to its ubiquitousness, accessibility, and effectiveness. Your platform could also be an online profile, a laptop, or anything else. The principles remain the same. With your platform in mind, you must first privately (and legally) acquire a device and SIM card.
For the high-risk folks, find a trusted and uninvolved third party, provide them with local currency, and have them purchase a prepaid phone on your behalf. This ensures you avoid CCTV, cameras, and casual observers. Identification may or may not be requested, depending on your location, but is typically not legally required.
For the slightly less
paranoid aware, a less stringent option is to use local currency to purchase a gift card, and then walk yourself to BestBuy, an Apple store, or an equivalent to select a phone.
If circumstances allow, one may assume the risk of conducting a factory reset on an old device, or your current device, and using that as the foundation for the new secure communications plan. This, however, is not recommended as it risks cross-contaminating anything from the old plan with the new. The goal is to keep everything separate, “clean”, and compartmentalized.
The same above options also generally apply to SIM card purchases, if a SIM does not come with your device already. An option is to purchase cheap SIM cards used for testing cell networks, where a provider will allow you to test their network for a trial period before committing to their service.
2. Activate accounts and complete setup
Once your new device is in hand, we must activate it and complete our initial setup. Again, there are a few options depending on your threat model and the amount of time and resources at your disposal.
For the high-risk folks, find a public location, which you do not frequently visit, that has free public WiFi, e.g. a Starbucks. Ideally, this location is geographically distant from the purchase location and anywhere else in your daily routine, and does not host a number of cameras or CCTVs, etc. We advise taking a circuitous route and not going directly from the purchase location to the setup location. It is also important to ensure you were not followed from your purchase location. Such details matter.
Connect to the free WiFi and download at a minimum: a secure end-to-end encrypted messaging application, a privacy-oriented internet browser like Firefox, a secure end-to-end encrypted email service, and a Virtual Private Network (VPN) provider application. These four “third party” options will become the backbone of your communications plan. Third-party applications are critical as neither the phone manufacturer (i.e. Apple) nor service provider (i.e. Orange) have access to or control the third parties. This is beneficial when working in an environment where the adversary has almost unlimited resources at their disposal.
These are not official endorsements, but we strongly recommend the following: Signal Messaging app, Wickr, ProtonMail, ProtonVPN, and Private Internet Access (PIA) VPN. Research and choose accordingly.
After downloading the applications, we require a secure tunnel through which to access the internet. Any time you are in a public location or not connecting to the internet through a gateway you trust (i.e. your bureau router), you are vulnerable. A mitigation tactic is using a VPN, which essentially creates an encrypted tunnel from your device to the internet.
Approach the Starbucks counter and once more use cash to pay for a gift card. PIA VPN accepts a number of common gift cards as payment. In the Firefox browser, navigate to the PIA VPN website, where the gift card can be used to set up an anonymous VPN account. While VPNs are not unbeatable, you can rest easier knowing that whenever you choose to use your smartphone’s data plan, your internet service provider or cell service provider cannot access your traffic. Assuming someone had an insider at a telecommunications company, or a warrant to view your internet traffic, all they would see is the encrypted traffic from your device to the internet, but little more.
We now must configure our secure messaging application. We will use Signal as an example. While the phone you just purchased does have a phone number attached to it, we can mitigate the risk of compromise by not sharing it with others. Protecting your dialed number minimizes the number of attack vectors back to you. For more context, study the dangers of “SIM swapping attacks.”
Signal requires a phone number upon registration. Rather than using your new device’s given phone number, navigate to Google Voice or other Voice over Internet Protocol (VoIP) number provider (i.e. Blur, MySudo, etc.) and create an account. VoIP numbers are not typically tied to actual phones but are capable of forwarding to cell phones, and also do not tie back to a phone service provider, which makes them less vulnerable to exploitation and tracking. Register for the Signal app using your VoIP number. Set up call forwarding so that whenever you receive a call or text to your VoIP number, it forwards to your actual device. This can be done in the VoIP provider settings.
For additional security, review your application settings to verify there is no leakage, i.e. ensuring messages and app data are not being automatically backed up to the cloud, etc.
What we just did
We now have a “clean” phone purchased with cash, connected to the internet via an encrypted tunnel in a “safe” public location we will not visit again, and can receive and make calls, texts, and video through a third-party messaging application that itself relies on end-to-end encrypted data transmissions. In summary, we are communicating encrypted messages through an already encrypted tunnel and doing so with relative privacy and security. We say relative because nothing is foolproof, and nation-states have many resources and capabilities they can leverage. But again, foolproof depends on your threat model.
Why does this matter?
Generally speaking, the only way someone can access your communications now is by physically accessing your device. Please ensure it is password protected and encrypted.
When enabled, your internet service provider only sees the encrypted VPN tunnel. Paid VPN service providers are usually better and have less spillage, especially ones that cannot access your data themselves (study “zero knowledge encryption” for more). Your phone provider only knows you downloaded the third party applications but does not have access to any of the content, assuming you have reviewed your cloud and data backup settings.
You can replicate these methods for your family or team members and employ secure and private communications in both domestic and international settings. Efficacy varies depending on the country. Many countries have less appreciation and respect for citizens’ privacy and are more intrusive with their monitoring of telecommunications data. This plan significantly mitigates this intrusiveness.
You can now communicate unimpeded and make yourself a harder target for criminals, hackers, and government surveillance.
We believe a good plan executed now is better than a perfect plan executed next week, namely because perfect does not exist. Again, this guide in no way secures your anonymity and does not discuss other targeting vectors. This guide simply presents a basic framework into secure communications using solely publicly accessible means. The cost of security is convenience. However, if your threat model warrants such measures, an ounce of prevention is worth a pound of cure.
Thanks for listening.